Crap, my computer has been rootkitted
#382861 09/15/12 08:40 PM
fredk Offline OP
axiomite
Joined: Dec 2007
Posts: 7,786
Any of the IT guys here have any experience with the zeroaccess virus?

I got hit by a fake antivirus the other day and instead of immediately booting into safe mode I tried to remove it and think I ended up installing the rootkit (via elevated process on Vista).

I'm going to restore from an Acronis image to clean up the computer, but the image is old, so I'm copying some files from my desktop onto a thumb drive.

I know this is a nasty botnet virus, so I want to be cautious.

My questions are as follows:

1. Do I need to be concerned with this virus propagating onto the thumb drive? Thumb drives are cheap and the data I copied is useful, but not critical. I'll toss the drive if there is a risk.

2. Might this virus insert itself into data files on the computer? I've partitioned the drive so that I can restore just the OS onto a system drive. In the past that has been sufficient to clean up infections. Again, I want to be extra cautious.

Thanks.


Fred

-------
Blujays1: Spending Fred's money one bottle at a time, no two... Oh crap!
Re: Crap, my computer has been rootkitted
fredk #382862 09/15/12 10:47 PM
shareholder in the making
Offline
Joined: May 2003
Posts: 18,044
I would use something like this: http://www.symantec.com/security_response/writeup.jsp?docid=2011-121607-4952-99

Generally they work ok, and then you won't have to roll it back.


I am the Doctor, and THIS... is my SPOON!
Re: Crap, my computer has been rootkitted
Ken.C #382864 09/16/12 01:50 AM
fredk Offline OP
axiomite
Joined: Dec 2007
Posts: 7,786
Well, mixed results from that. It seems to have removed something, as my AV is back. Something nasty is still trying to load and is being blocked by the AV. I'm running a full scan now.

Update service is gone as are a few other services. Trying to use the Catalyst Control Center results in a bluescreen.

I'll try a repair install of the OS when the scan is done.

I'm not entirely convinced the computer is clean though. I may still re-image.


Fred

Re: Crap, my computer has been rootkitted
fredk #382865 09/16/12 02:07 AM
shareholder in the making
Offline
Joined: May 2003
Posts: 18,044
Do you have system restore turned on? I would try reverting to a checkpoint about a week in the past if so. That'll also save you some time.

Re: Crap, my computer has been rootkitted
Ken.C #382868 09/16/12 05:29 PM
fredk Offline OP
axiomite
Joined: Dec 2007
Posts: 7,786
Well, no restore points. The scan picked up 8 or 9 virus files, all in temp directories.

I still feel more comfortable with doing an image restore to make absolutely sure my system is clean. Too bad I haven't kept more up to date on my imaging. *blush* It won't make a big difference as I have not changed the system much over time. I'll have an hour or so of updates to install.


Fred

Re: Crap, my computer has been rootkitted
fredk #382869 09/16/12 05:38 PM
J
connoisseur
Offline
Joined: Jan 2011
Posts: 1,291
Before doing an image restore, I would prefer to use the system after the cleanup; it might be OK, and then you will not spend hours restoring it.
If it's still there, you will soon know.

Re: Crap, my computer has been rootkitted
fredk #382870 09/16/12 10:13 PM
connoisseur
Offline
Joined: Jun 2007
Posts: 4,322
Fred, have you considered using the free services from agents on a website like Bleeping Computer? I had a nasty virus a couple years ago, and with the assistance of an agent from the same site, my computer was virus free and in perfect working order. Here's a recent thread regarding the same trojan that was removed.


The only reasonable argument for owning a gun is to protect yourself from the police.
Re: Crap, my computer has been rootkitted
J. B. #382871 09/16/12 10:14 PM
fredk Offline OP
axiomite
Joined: Dec 2007
Posts: 7,786
From Symantec:
Quote:
Furthermore, it opens a back door and connects to a command and control (C&C) server, which allows the remote attacker access to the compromised computer. The attacker is then able to perform any number of actions on the computer, and the computer may then become part of a wider botnet.

This is why I am concerned. If this was nuisance malware, I would clean up and wait. If my computer is now part of a botnet, I'm not so sure I would see obvious activity.


Fred

Re: Crap, my computer has been rootkitted
Ya_basta #382872 09/16/12 10:16 PM
fredk Offline OP
axiomite
Joined: Dec 2007
Posts: 7,786
Cam, I started at Bleeping Computer. It was one of their tools that detected signs of zeroaccess.


Fred

Re: Crap, my computer has been rootkitted
fredk #382873 09/16/12 10:35 PM
connoisseur
Offline
Joined: Jun 2007
Posts: 4,322
Originally Posted By: fredk
Cam, I started at Bleeping Computer. It was one of their tools that detected signs of zeroaccess.


Did an agent pick up your case?
